Make sure to read this page before continuing.
Latest stable compiled version can be found here.
For A12-A14, and WiFi-only iPad restores - use the latest beta build for your platform here.
There are currently no pre-compiled beta builds for Windows.
Only use if you are sure what you're doing.
FutureRestore is a modified idevicerestore wrapper that allows manually specifying the SEP and baseband for a restore. This allows unsigned firmwares to be restored onto devices, provided you have a backup of the APTicket (SHSH blobs) and can recreate all the specific conditions of the APTicket, e.g. ECID, APNonce, Board ID.
- Supports the following downgrade methods:
  - Prometheus for 64-bit devices:
    - Prometheus via APNonce recreation with the APNonce generator
    - Prometheus via APNonce collision
  - Odysseus for 32-bit & 64-bit (A7-A11) devices
  - Re-restoring 32-bit devices to iOS 9.x with alitek123's no-ApNonce method (alternative — idevicererestore).
Make sure these are installed:
- curl (Linux/Windows only, macOS already has curl preinstalled);
- openssl 1.1.1 (or CommonCrypto on macOS);
- libusb 1.0.24 (Linux/Windows only, macOS can use IOKit for libirecovery);
- libzip;
- libplist;
- libusbmuxd;
- libirecovery;
- libimobiledevice;
- libpng16;
- xpwn (fork);
- libgeneral;
- libfragmentzip;
- libinsn;
- lzfse;
- img4tool;
- liboffsetfinder64 (fork);
- libipatcher (fork)

Make sure these projects compile on your system (install their dependencies):

If you are cloning this repository you may run:
`git clone -b test --recursive https://github.com/Mini-Exploit/futurerestore`
which will clone these submodules for you.
Usage: futurerestore [OPTIONS] iPSW
| option (short) | option (long) | description |
|---|---|---|
| `-t` | `--apticket PATH` | Signing tickets used for restoring, commonly known as blobs |
| `-u` | `--update` | Update instead of erase install (requires appropriate APTicket). This parameter is recommended to not be used for downgrading. If you are jailbroken, make sure to have your orig-fs snapshot restored (Restore RootFS). |
| `-w` | `--wait` | Keep rebooting until ApNonce matches APTicket (ApNonce collision, unreliable) |
| `-d` | `--debug` | Show all code, use to save a log for debug testing |
| `-e` | `--exit-recovery` | Exit recovery mode and quit |
| | `--use-pwndfu` | Restoring devices with Odysseus method. Device needs to be in pwned DFU mode already |
| | `--no-ibss` | Restoring devices with Odysseus method. For checkm8/iPwnder32 specifically, bootrom needs to be patched already with unless iPwnder. |
| | `--rdsk PATH` | Set custom restore ramdisk for entering restore mode (requires use-pwndfu) |
| | `--rkrn PATH` | Set custom restore kernelcache for entering restore mode (requires use-pwndfu) |
| | `--set-nonce` | Set custom nonce from your blob then exit recovery (requires use-pwndfu) |
| | `--set-nonce=0xNONCE` | Set custom nonce then exit recovery (requires use-pwndfu) |
| | `--serial` | Enable serial during boot (requires serial cable and use-pwndfu) |
| | `--boot-args "BOOTARGS"` | Set custom restore boot-args (PROCEED WITH CAUTION) (requires use-pwndfu) |
| | `--no-cache` | Disable cached patched iBSS/iBEC (requires use-pwndfu) |
| | `--skip-blob` | Skip SHSH blob validation (PROCEED WITH CAUTION) (requires use-pwndfu) |
| | `--latest-sep` | Use latest signed SEP instead of manually specifying one |
| `-s` | `--sep PATH` | Manually specify SEP to be flashed |
| `-m` | `--sep-manifest PATH` | BuildManifest for requesting SEP ticket |
| | `--latest-baseband` | Use latest signed baseband instead of manually specifying one |
| `-b` | `--baseband PATH` | Manually specify baseband to be flashed |
| `-p` | `--baseband-manifest PATH` | BuildManifest for requesting baseband ticket |
| | `--no-baseband` | Skip checks and don't flash baseband. Only use this for devices without a baseband (e.g. iPod touch or Wi-Fi only iPads) |

- the destination firmware version is compatible with a currently signed SEP and baseband. Check whether your version is compatible here.
- if you have signing ticket files with a generator for that specific firmware version.
- A jailbreak or an exploit that allows nonce setting.
- Signing ticket files (`.shsh`, `.shsh2`, `.plist`) with a generator
  - A12+ users must also have a valid APNonce / generator pair due to nonce entanglement. Only having an APNonce without a generator is not sufficient.
- A computer with a minimum of 8 gigabytes of free space + IPSW of the target version downloaded. You can find the IPSW for your device at IPSW.me.
- On Windows machines, make sure to have this version of iTunes installed. Using the Microsoft Store version will cause issues.
- Jailbreak your device if it isn't jailbroken already.
- Open your blob in any text editor and search for the word "generator". In most text editors you can use CTRL + F / CMD + F to look for it.
  - This should be a `0x` followed by 16 characters, which will be a combination of letters and numbers.
- Note that value down. This is your generator.
  - NOTE: If there is no generator value, try to remember which jailbreak you were using at the time of saving blobs. If you were using unc0ver, your generator is most likely `0x1111111111111111`, and if you were using Chimera/Odyssey/Taurine, your generator is most likely `0xbd34a880be0b53f3`.
- Set your device's APNonce generator. You can use your jailbreak tool to set your generator in its native settings. However, setting your generator with dimentio is recommended.
- Connect your device in normal mode to computer - make sure the trust dialog is accepted.
- Recommended: Make a full backup of your device before running futurerestore.
- On the computer run:
  `futurerestore -t blob.shsh2 --latest-sep --latest-baseband -d target.ipsw`

  If you are upgrading and want to preserve user data you may run:
  `futurerestore -u -t blob.shsh2 --latest-sep --latest-baseband -d target.ipsw`
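
The generator lookup from the steps above can also be scripted. This is an added example, not part of futurerestore or of the original page; it assumes the blob is an XML plist with a top-level `generator` string key, and the function names and sample blobs are constructed for illustration.

```python
import plistlib
import re
from xml.parsers.expat import ExpatError

# "0x followed by 16 characters", as described in the steps above.
GENERATOR_RE = re.compile(r"0x[0-9a-fA-F]{16}")

# "Most likely" generators named on this page; used only when the blob has none.
JAILBREAK_DEFAULTS = {
    "unc0ver": "0x1111111111111111",
    "chimera": "0xbd34a880be0b53f3",
    "odyssey": "0xbd34a880be0b53f3",
    "taurine": "0xbd34a880be0b53f3",
}

# Constructed sample blobs: the ticket bytes are dummy data, not a real APTicket.
SAMPLE_BLOB = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>ApImg4Ticket</key>
  <data>AAECAw==</data>
  <key>generator</key>
  <string>0x1111111111111111</string>
</dict>
</plist>
"""
SAMPLE_NO_GENERATOR = plistlib.dumps({"ApImg4Ticket": b"\x00\x01\x02\x03"})


def read_generator(blob_bytes):
    """Return the blob's generator (lowercased), or None if the key is absent."""
    try:
        blob = plistlib.loads(blob_bytes)
    except (ValueError, ExpatError) as exc:
        raise ValueError("not a readable plist blob") from exc
    value = blob.get("generator") if isinstance(blob, dict) else None
    if value is None:
        return None
    if not isinstance(value, str) or not GENERATOR_RE.fullmatch(value.strip()):
        raise ValueError(f"malformed generator: {value!r}")
    return value.strip().lower()


def resolve_generator(blob_bytes, jailbreak=None):
    """Return (generator, source); source is 'blob' or 'guess' (jailbreak default)."""
    found = read_generator(blob_bytes)
    if found is not None:
        return found, "blob"
    guess = JAILBREAK_DEFAULTS.get((jailbreak or "").lower())
    if guess is None:
        raise LookupError("no generator in blob and no known jailbreak default")
    return guess, "guess"
```

A result with source `guess` is only the page's "most likely" value for that jailbreak, so treat it as unconfirmed until the device reports a matching nonce.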
To set generator with dimentio:
- Open your package manager on your jailbroken iDevice
- Add https://repo.1conan.com to your sources.
- Add https://repo.chariz.com to your sources.
- Download and install dimentio
- Download and install NewTerm2
- If you're on iOS 14.0 or above:
  - Install `libkernrw` if you're using Taurine
  - Install `libkrw` if you're using unc0ver
  - checkra1n/odysseyra1n users don't need to install anything extra
- Open NewTerm 2 on your iDevice and type the following command:
  `su root -c 'dimentio [generator]'`

  `[generator]` should be the APNonce generator you just grabbed.
  Example: `su root -c 'dimentio 0x1111111111111111'`
- When asked for a password, enter your root password
  - By default, this is set to `alpine`
- Near the end of the text, you should see the line `Set nonce to [generator]`. This indicates that your generator has been set successfully.

Use jailbreak tools for setting boot-nonce generator:
- Meridian for iOS 10.x;
- backr00m or greeng0blin for tvOS 10.2-11.1;
- Electra and ElectraTV for iOS and tvOS 11.x;
- Chimera and ChimeraTV for iOS 12.0-12.5.4 (the nonce setter only supports 12.1.2 - 12.4.1 on A12; 12.1.3 - 12.5.4 is only supported on A7 - A11 devices);
- Odyssey for iOS 13.0-13.7
- Note that there are some reported issues with Odyssey's generator setter. Using it is not recommended.
- Taurine for iOS 14.0-14.3
- unc0ver for iOS 11.0-14.3
Currently you can restore to the following versions with the latest SEP and baseband for your device:
Devices that only support up to iOS 12 (most A7 and A8 devices excluding iPad5,1 - iPad5,4): 11.3-12.5.4
A9 and A10: 14.0-14.7
A11 devices: 14.3-14.7
A12 devices and newer: 14.0-14.7
This problem occurs when the user tries to manually specify SEP from the target version, instead of from the latest available version. To fix this problem, either choose the `--latest-sep` argument or manually specify a SEP from the latest available iOS version.
NOTE: if the error is similarly named, follow these steps too.
If your device is in recovery mode:
- Run FutureRestore again while your device is in recovery mode.
If your device is not in recovery mode:
- Enter recovery mode manually, then run FutureRestore again.
This error means that you have not set your generator on your device to that of the blob. In order to solve this problem, you must set your generator with dimentio or any jailbreak tool.
- If after following the steps you still cannot resolve this issue, your generator may not correspond to its respective APNonce.
- If you saved blobs while unjailbroken on A12+ without getnonce or blobsaver v3, your APNonce/generator pair is invalid. This cannot be resolved.
- Leave the device plugged in, it'll stay on the Recovery screen;
- Head over to Device Manager under Control Panel in Windows;
- Locate "Apple Recovery (iBoot) USB Composite Device" (at the bottom);
- Right click and choose "Uninstall device". You may see a tick box that allows you to uninstall the driver software as well, tick that (all the three Apple mobile device entries under USB devices will disappear);
- Unplug the device and re-plug it in;
- Go back to futurerestore and send the restore command again (just press the up arrow to get it back, then enter).
- Error `-8` should now be fixed.
The fix for this is either waiting (it can take a very long time) or just re-trying the process. This is an error that has been diagnosed but no fix for it is available as of the time of writing this.
- Device with A7 chip on iOS 9.1 - 10.2 or iOS 10.3 beta 1;
- Jailbreak isn't required;
- Signing ticket files (`.shsh`, `.shsh2`, `.plist`) with a custom ApNonce;
- Signing ticket files need to have one of the ApNonces which the device generates a lot;

You can downgrade if the destination firmware version is compatible with the latest SEP and baseband. You also need to have special signing ticket files. If you don't know what this is, you probably can NOT use this method!
- Connect your device in normal or recovery mode;
- On the computer run
  `futurerestore -w -t ticket.shsh --latest-baseband --latest-sep firmware.ipsw`
- If you have saved multiple signing tickets with different nonces you can specify more than one to speed up the process:
  `futurerestore -w -t t1.shsh -t t2.shsh -t t3.shsh -t t4.shsh --latest-baseband --latest-sep firmware.ipsw`
- A device with an A7 (iPhone 5s, iPad Air, iPad mini 2), A8 (iPhone 6 [+], iPad mini [2,3,4], iPod touch [6th generation]) or A8X (iPad Air 2) chip, on all firmwares;
- Devices that have been released after ~ September, 2015 {PROBABLY};
- Jailbreak isn't required;
- Signing ticket files (`.shsh`, `.shsh2`, `.plist`) with a custom-chosen APNonce;
- Signing ticket files need to have one of the ApNonces which the device generates a lot;
- img4tool can't be used for Windows [problem with signing iBSS/iBEC], now it's TO-DO;

You can downgrade if the destination firmware version is compatible with the latest SEP and baseband. You also need to have special signing ticket files. If you don't know what this is, you probably can NOT use this method!
- Connect your device in DFU mode;
- Use irecovery to check the ApNonce of the device booted in DFU;
- Extract iBSS/iBEC from target firmware for downgrade (unsigned);
- Check for collided DFU ApNonces with irecovery while the device is booted in DFU. DFU ApNonce collision can't be automated. If the ApNonce has not collided, re-enter DFU by hand. If the ApNonce has collided successfully, use this SHSH2 to sign iBSS/iBEC.
- Use img4tool to sign iBSS: `img4tool -s ticket.shsh -c iBSS.signed -p <original_iBSS>`;
- Use img4tool to sign iBEC: `img4tool -s ticket.shsh -c iBEC.signed -p <original_iBEC>`;
- After signing, boot into Recovery with irecovery:
  - `irecovery -f iBSS.signed` - loading iBSS;
  - `irecovery -f iBEC.signed` - loading iBEC;
- On the computer run `futurerestore -t ticket.shsh --latest-baseband --latest-sep -w firmware.ipsw`.

- futurerestore compiled with libipatcher;
- Jailbreak or bootrom exploit (limera1n, checkm8);
- 32-bit: firmware keys for the device/destination firmware version must be public (check ipsw.me)
- 64-bit: Signing ticket files (`.shsh`, `.shsh2`, `.plist`) for the destination firmware (OTA blobs work too!).

If you have a jailbroken device, you can downgrade to any firmware version you have blobs for, as long as the baseband is compatible; the SEP does not have to be compatible.
You can still get OTA blobs for iOS 6.1.3, 8.4.1 or 10.3.3 for some devices and use those.
- Get device into kDFU/pwnDFU
  - Pre-iPhone4s (limera1n devices):
    - Enter pwnDFU mode with redsn0w or any other tool
  - iPhone 4s and later 32-bit devices:
    - Enter kDFU mode with kDFU app (cydia: repo.tihmstar.net) or by loading a pwnediBSS from any existing odysseus bundle
  - Any 64-bit device:
    - Enter pwnDFU mode and patch signature check with special fork of ipwndfu
- Connect your device to computer in kDFU mode (or pwnDFU mode)
- On the computer run
  `futurerestore --use-pwndfu -t ticket.shsh --latest-baseband -d firmware.ipsw`
- You can use any odysseus bundle for this.
- Jailbreak isn't required;
- Signing ticket files (`.shsh`, `.shsh2`, `.plist`) from iOS 9.x without ApNonce (noNonce APTickets)

If you have signing ticket files for iOS 9.x which do not contain an ApNonce, you can restore to that firmware.
- Connect your device in DFU mode
- On the computer run
  `futurerestore -t ticket.shsh --latest-baseband ios9.ipsw`

Before you report an issue, please check that it is not mentioned in the Common Issues section. If it is not, you can report your issue here.